Because {cache_block}.cid doesn't include the base_url in the cache key, it's troublesome for sites that are accessible from multiple domains or protocols. (For example if your site is accessible via both HTTP and HTTPS).
It's also a potential security concern: in some configurations attackers can poison the block cache by forging the Host header. Images / links can be replaced with those of an attacker's choosing. (Note: this was discussed within the security team before deciding to fix publicly.)
Steps to reproduce:
(This assumes you have not explicitly set $base_url in settings.php, and that your Drupal site is the default virtual host.)
- Create a block with this PHP code:
<img src="<?php print file_create_url('sites/default/files/test.png'); ?>" />
(This is just a demo - a more realistic scenario would be a View that displays an Image Field)
- Enable block caching and set this test block's cache mode to BLOCK_CACHE_GLOBAL.
- Run this curl command: curl -H'Host: evil.com' example.com
- Visit example.com in your browser; you'll see the cached version of the block with evil.com as the image source. In addition to replacing the image, evil.com now has access to the victim's browsing activity via the referrer logs.
Note: the patch is for D6. Also tagging as infrastructure, since this may help with #952578: Fix any references to non-https resources, fix redirects to avoid double encoding URL parameters.
| Comment | File | Size | Author |
|---|---|---|---|
| | cache_block_base_url-D6.patch | 1.06 KB | grendzy |
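As an added illustration (not the attached patch and not Drupal's own code), the collision from the steps above and the two mitigations raised in this issue, reduced to a toy PHP block cache: the module, delta and host-pattern values are assumptions.

```php
<?php
// Added illustration, not Drupal's own code: a toy block cache showing why a cid
// that ignores the base URL lets a forged Host header poison the entry served to
// everyone, and how a base URL in the cid (the D6 patch's approach) plus a
// trusted-host allowlist (the D8 trusted_host_patterns idea) closes the hole.
// Hypothetical allowlist; regex form mirrors $settings['trusted_host_patterns'].
const TRUSTED_HOST_PATTERNS = ['^example\.com$', '^www\.example\.com$'];

function host_is_trusted(string $host): bool {
    foreach (TRUSTED_HOST_PATTERNS as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host)) {
            return true;
        }
    }
    return false;
}

// Cache id for a block. $include_base_url = false reproduces the bug.
function block_cid(string $module, string $delta, string $base_url, bool $include_base_url): string {
    $parts = [$module, $delta];
    if ($include_base_url) {
        $parts[] = $base_url; // scheme and host now separate the entries
    }
    return implode(':', $parts);
}

// Render (or fetch from cache) a block embedding an absolute file URL built
// from the request host, as file_create_url() would with no $base_url set.
function render_block(array &$cache, string $host, bool $include_base_url): string {
    $base_url = 'http://' . $host;
    $cid = block_cid('php', 'demo', $base_url, $include_base_url);
    if (!isset($cache[$cid])) {
        $cache[$cid] = '<img src="' . $base_url . '/sites/default/files/test.png" />';
    }
    return $cache[$cid];
}

// Vulnerable: the forged-Host request primes the single shared entry.
$cache = [];
render_block($cache, 'evil.com', false);
$victim = render_block($cache, 'example.com', false);
echo (strpos($victim, 'evil.com') !== false ? 'POISONED: ' : 'ok: ') . $victim . "\n";

// Hardened: base URL in the cid, and untrusted hosts never reach the cache.
$cache = [];
foreach (['evil.com', 'example.com'] as $host) {
    echo host_is_trusted($host)
        ? 'ok: ' . render_block($cache, $host, true) . "\n"
        : "rejected untrusted Host: $host\n";
}
```

The first section prints the poisoned entry for the legitimate host; the second rejects the untrusted host outright and keys the remaining entry on its own base URL.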
Comments
Comment #1
aspilicious (CreditAttribution: aspilicious) commented:
Why is this 7.X then? If it's a D6 patch o_O. If this needs to be fixed in 7.X or 8.X, move it to 8.x with status needs work.
Comment #2
grendzy (CreditAttribution: grendzy) commented:
AFAIK, it's still in D8.
Comment #5
jhedstrom commented:
I cannot reproduce this in D8. I didn't test with the PHP module, but instead added a view footer to the front page (using the [site-url] token). When I grab the front page from a different domain (e.g., evil.com), it uses that as the site URL, but when I revisit the normal domain, that URL doesn't persist.
Comment #6
grendzy (CreditAttribution: grendzy at Metal Toad) commented:
Cool. In any case, I think this is effectively mitigated in D8 by $settings['trusted_host_patterns']. Still an issue in D7:
https://api.drupal.org/api/drupal/modules%21block%21block.module/functio...